Introduction

Cross-Origin Resource Sharing (CORS) allows a web client to make an AJAX request for a resource on a domain other than its source domain.

This article focuses on the HTTP request preflight feature proposed by the W3C CORS specification and, mainly, on how to set up a protection, on the web application side, against CORS HTTP requests that try to bypass the preflight process.

Request preflight process overview

In order not to duplicate the explanation, and because the Mozilla wiki has a great introductory article about CORS, you can read a description of the process using the link below:

Risk

The purpose of the request preflight is to ensure that an HTTP request will not have a harmful impact on data; it does so with a first request in which the browser describes the final HTTP request that it will send afterwards.

The main risk here (for the web application) is that the request preflight process is entirely managed on the client side (by the browser), so nothing guarantees the web application that the preflight process will always be followed...

A user can create and send (using tools like curl, OWASP ZAP, ...) the final HTTP request without first sending the preflight request, thereby bypassing the request preflight process in order to act on data in an unsafe way.

Countermeasure

We must ensure compliance with the request preflight process on the server side.

To achieve this we will use a JEE web filter that checks every CORS request using these steps:

Step 1: Determine the type of the incoming request.

Step 2: Process the request according to its type, using a temporary cache to keep the state of the preflight step of the process.
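The two steps as one servlet filter, written here as an added example rather than the article's own filter: a preflight is recorded in a short-lived in-memory cache, and a cross-origin request that a browser would have preflighted is rejected unless a matching entry exists. It assumes Java 9+ (Set.of) and the Servlet 4.0 API (default init/destroy); the class name and the one-minute TTL are constructed, and the origin allow-list a real deployment needs is left out to keep the preflight logic in focus.

```java
import java.io.IOException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter (added example, not the article's code): a cross-origin request that a
// browser would have preflighted is only forwarded if a matching preflight was seen recently.
public class CorsPreflightFilter implements Filter {
    private static final long TTL_MS = 60_000; // constructed value: a preflight stays valid 1 minute
    private static final Set<String> SIMPLE_METHODS = Set.of("GET", "HEAD", "POST");
    private static final Set<String> SIMPLE_TYPES = Set.of(
        "application/x-www-form-urlencoded", "multipart/form-data", "text/plain");
    // "origin|METHOD|path" -> expiry (ms). Per-JVM cache; a cluster needs a shared store.
    private final Map<String, Long> preflighted = new ConcurrentHashMap<>();
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String origin = http.getHeader("Origin");
        // Step 1: no Origin, or our own origin (browsers send Origin on same-origin POST too): not CORS.
        if (origin == null || origin.equalsIgnoreCase(http.getScheme() + "://" + http.getHeader("Host"))) {
            chain.doFilter(req, res); return;
        }
        String wanted = http.getHeader("Access-Control-Request-Method");
        if ("OPTIONS".equals(http.getMethod()) && wanted != null) {
            // Step 1: preflight. Step 2: record it and answer it without reaching the application.
            preflighted.put(key(origin, wanted, http.getRequestURI()), System.currentTimeMillis() + TTL_MS);
            out.setHeader("Access-Control-Allow-Origin", origin);
            out.setHeader("Access-Control-Allow-Methods", wanted);
            out.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        // Step 2, actual request: browsers preflight only non-simple requests, so only those need an entry.
        if (!isSimple(http)) {
            Long exp = preflighted.get(key(origin, http.getMethod(), http.getRequestURI()));
            if (exp == null || exp < System.currentTimeMillis()) {
                out.sendError(HttpServletResponse.SC_FORBIDDEN, "CORS request without preflight");
                return;
            }
        }
        out.setHeader("Access-Control-Allow-Origin", origin);
        chain.doFilter(req, res);
    }
    // CORS "simple" request: simple method and Content-Type (custom headers, also preflighted, not checked).
    private static boolean isSimple(HttpServletRequest r) {
        String ct = r.getContentType();
        return SIMPLE_METHODS.contains(r.getMethod())
            && (ct == null || SIMPLE_TYPES.contains(ct.split(";")[0].trim().toLowerCase()));
    }
    private static String key(String o, String m, String p) { return o + "|" + m.toUpperCase() + "|" + p; }
}
```

Register the filter in web.xml (or with @WebFilter) on the URL patterns that serve cross-origin clients; a curl PUT or JSON POST carrying an Origin header but no prior OPTIONS then receives a 403 instead of reaching the application.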

Note: the w3af audit tool (http://w3af.org) contains plugins that automatically audit a web application to check whether it implements this type of countermeasure.

It is very useful to include this type of tool in the web application development process in order to perform a regular, automated first-level check (it does not replace a manual audit, which must also be conducted regularly).